Multi-Layer System for Privacy Enforcement and Monitoring of Suspicious Data Access Behavior

ABSTRACT

A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy.

RELATED APPLICATION

This application claims priority from co-pending provisional U.S.Application Ser. No. 60/654,181, filed Feb. 18, 2005. This applicationalso claims priority from copending U.S. application Ser. No.10/034,996, filed Dec. 28, 2001.

FIELD OF DISCLOSURE

The disclosure is directed to software for interacting with a database,and in particular, to software for interacting with databases thatinclude encrypted data.

BACKGROUND

It is difficult to detect advanced attacks on data and data misuse bymonitoring only one system layer. It is likewise difficult to attainacceptable performance in using external policy driven encryptionsystems.

One difficulty arises because large amounts of encrypted data areexposed when providing an efficient search on encrypted data. Inaddition, large amounts of sensitive data are exposed when usingeffective performance optimization to offload cryptographic operations.This results in exposure of data in memory or disk, outside of thecontrol of the security/encryption system.

SUMMARY

In general, in some aspects, a method for controlling data access in adata-at-rest system includes executing a link intrusion preventionanalysis between multiple layers of the data-at-rest system, introducinga privacy policy at enforcement points that span multiple system layers,and dynamically altering the privacy policy.

In some implementations, the method includes one or more of thefollowing features. The data-at-rest system is a database system. Themethod further includes modifying the protection of data at one of themultiple system layers. The step of modifying is performed based on aresult of the link intrusion prevention analysis. The privacy policyincludes access control information. The privacy policy includesintrusion detection information. The privacy policy includescryptographic information.

In general, in some aspects, a method for controlling access to adatabase system includes assigning a first access criterion and a secondaccess criterion to a user role, receiving a query from a user, the userhaving an access history, determining that the user matches the userrole, comparing, in a first system layer, the access history to thefirst access criterion, and comparing, in a second system layer thatdiffers from the first system layer, the access history to the secondaccess criterion.

In some implementations, the method includes one or more of thefollowing features. The first access criterion comprises a privacypolicy. The method further includes learning a value for the firstaccess criterion. The method further includes selecting a response tothe query, wherein the response is selected from the group consisting ofblocking the query, alerting a system administrator and allowing thequery, and allowing the query. Selecting a response to the querycomprises selecting a response to the query based on a result of thestep of comparing in a first system layer.

In general, in some aspects, a method for accessing data includes in afirst system layer, receiving a first request from a user, the userhaving an access history, the access history including a counter, in thefirst system layer, comparing the counter to a first threshold,transmitting a second request to a second system layer, the secondrequest being based on the first request:

In some implementations, the method includes one or more of thefollowing features. The method further includes comparing the counter toa second threshold. The counter includes a scorecard. The method furtherincludes determining that the counter exceeds a third threshold, andalerting a system administrator. The method further includes, in thefirst system layer, transmitting a notification to the second systemlayer to deny the second request.

Other general aspects include other combinations of the aspects andfeatures described above and other aspects and features expressed asmethods, apparatus, systems, program products, and in other ways.

Advantages and features will become apparent from the followingdescription and claims.

DESCRIPTION OF DRAWINGS

FIGS. 1, 3 and 6 are block diagrams of database systems.

FIGS. 2A, 2B, 2C, 4A, 4B, and 5 are flow charts.

DETAILED DESCRIPTION

The system described herein is intended to be integrated into thatdescribed in copending U.S. application Ser. No. 10/034,996, filed Dec.28, 2001, and entitled METHOD FOR INTRUSION DETECTION IN A DATABASESYSTEM, the contents of which are herein incorporated by reference.

A method and system for overcoming the foregoing difficulties providesfor the introduction of a privacy policy with enforcement points thatspan multiple system layers. The privacy policy is coupled with linkintrusion prevention analysis between multiple system layers. The scope,both in data and in time, for enforcing data privacy and encryption isthen dynamically optimized between multiple system layers.

As used herein, multiple system layers includes application databasesessions, table data access, table space access, and database file levelaccess. The term “transaction” is intended to include queries. The term“data at rest” is intended to include all forms of stored data. A“data-at-rest system” includes any system for storing data.

In a system for overcoming the foregoing difficulties, selected rulescontrol the amount of data that is exposed, and the time window forexposure of unencrypted data. A policy underlying the selected rulesdefines the extent to which data privacy is to be enforced forparticular data. This extent, which includes the extent of theparticular data exposed and the duration of such exposure, is determinedon the basis of the sensitivity of the particular data.

Dynamic control over the extent and duration of unencrypted-dataexposure required to satisfy a user transaction is provided by linkingthe intrusion detection point (“IDP”), the policy enforcement point(“PEP”), the audit generation point (“AGP”), and the data-at-restencryption point (“DEP”). These scopes are controlled by an operationalsensitivity class defined in the policy. The operational sensitivityclass defines what rules to check and when to do so by linking the IDP,the PEP, the AGP, and the DEP.

At the intrusion detection point, a scorecard is provided to accumulateviolation attempts. On the basis of the number of violation attempts,session statistics, and data access statistics spanning multiple systemlayers, one can determine whether a threshold indicative of an attackhas been reached.

A system as described above enhances the ability to detect advancedattacks on data as well as instances of data misuse. The system alsoreduces the extent to which data is exposed and outside the control ofthe security/encryption system, both in terms of the amount of databeing exposed and the duration of such exposure. In addition, the systemenables effective performance optimization and offloading ofcryptographic operations.

In an exemplary security system 116, depicted in FIG. 1, a user 115communicates through a client 114, which interacts with an applicationserver 113. The application server 113 communicates with a PEP 101 torequest authorization and to transmit auditing data. The applicationserver 113 also passes queries along to a database 107, which itselfcommunicates with the PEP 101 to request authorization. The databaseprocess 107 also communicates with a DEP 103 to request decryption. TheDEP 103, in turn, utilizes a hardware security module (“HSM”) 105 and asoftware security module (“SSM”) 106.

The database process 107 transmits requests to its buffer 110, which(through a process overseeing the buffer) sends audit information to thePEP 101. The buffer process then transmits requests to a file systemfile 108, which also communicates with the DEP 103 to request that afile be decrypted.

The PEP 101 communicates directly with the DEP 103 to provideauthorization for other components to decrypt files. The PEP 101interacts with the AGP 104 to store audit information. The PEP 101 callsthe IDP 102 to provide information used in determining whether a givenquery should be allowed. In response, the IDP 102 tells the PEP 101 thata given query should either be allowed, blocked, or allowed but with analert sent to the system administrator. It performs this task with theaid of intrusion detection rules 112 and a scorecard 111 associated witheach user.

The DEP 103 can be optimized to perform at a layer that allowsgranularity (e.g., operations on a table cell vs. a table vs. an entiredatabase vs. an entire file system) in compliance with a privacy policy.The DEP 103 can then dynamically dispatch an operation to be performed,either by a hardware security module (“HSM”) 105 or by a softwareencryption engine 106, or a combination thereof. The DEP 103 can operateon an in-memory database or on a disk.

Operations on different levels of granularity may be achieved, in thedepicted example, by associating the DEP 103 with multiple layers of thedatabase hierarchy. The DEP 103 is connected to The database process 107and the data store (file system) layer 108. An encryption requestoriginating at the database layer 302 permits the DEP 103 to encryptdata in an individual row, column, or cell. (It might also, however,permit a database administrator to decrypt data for which theadministrator lacks authorization.) In some embodiments, an encryptionrequest originating at the file system layer 108 permits the DEP 103 toencrypt data in an individual file system file, thereby preventing adatabase administrator from accessing sensitive data.

If permitted by the privacy policy, the DEP 103 can, under certainconditions, dynamically re-route a decryption request from a softwaresecurity module 106 to a hardware security module 105. Exemplaryconditions include having a message size larger than a predeterminedsize. This dynamic re-routing optimizes performance and offloadscryptographic operations.

Upon detecting an attack, the PEP 101 can carry out any combination ofthe following options: issuing a security alert, blocking access toselected data, disabling one or more users, and disabling a request.

FIGS. 1 and 2A-2C illustrate one example of the operation of a systemincluding a PEP 101, an IDP 102, a DEP 103, and an AGP 104. In thisexample, a database user 115 initiates a transaction through a client114, such as a web browser (step 201). The client 114 sends a request toan application server 113, e.g., a web server (step 202).

The application server 113 initiates an authentication request with thePEP 101 (step 203). The PEP 101, in conjunction with the IDP 102,verifies the user's authorization, as described in more detail below inconnection with FIGS. 5A and 5B (step 204). If the user is notauthorized (step 205), the PEP blocks the query (step 213). If the useris authorized, then the application server 113 sends auditinginformation to the PEP 101 (step 206), which the PEP 101 transmits tothe AGP 104 (step 207). Audit information includes the database user ID,the date and time, the SQL query and other action details, theoriginating machine name or IP address, and the database name.

The application server 113 then sends a request to a database 107 (step208). The database process 107 again seeks authorization from the PEP101 (step 209). The PEP 101 again in conjunction with the IDP 102verifies the user's authorization as described in connection with FIGS.5A and 5B (step 210). If authorization is granted (step 211), the PEP101 transmits the authorization to the database process 107 as well asto the DEP 103 (step 212). The authorization to the DEP 103 indicatesthat The database process 107 is permitted to access decryption keysassociated with columns to which the user 115 has access. Ifauthorization is refused, the PEP 101 blocks the query (step 213) andThe database process 107 returns an error (step 214), which the client114 propagates to the user 115 (step 215).

If the PEP 101 grants authorization, a database process 107 accesses afile 108 in the file system, through the database's buffer 110 to readthe relevant data (step 216). A computer process overseeing the buffer110 sends additional audit information to the PEP 101 (step 217), whichthe PEP 101 transmits to the AGP 104 (step 218). If the database file108 is encrypted (step 219), the file system requests that the DEP 103decrypt the file (step 220). If the DEP 103 has been previouslyauthorized by the PEP 101 in step 212 (step 221), then the DEP 103decrypts the file using a hardware security module (“HSM”) 105 and/or asoftware decryption engine 106 (step 222), and returns the requestedcontents (step 223).

The database process 107 then checks to see if any of the requestedinformation is in an encrypted column (step 224). If so, the processoverseeing the database process 107 requests that the DEP 103 decryptthe relevant columns (step 225). The DEP performs the requesteddecryption using the HSM 105 and/or the software decryption engine 106(step 226), and returns the decrypted results (step 227).

The database process 107 extracts the relevant information (step 228)and returns it to the application server 113 (step 229). The applicationserver 113 returns a result to the client 114 (step 230), which displaysa result to the user 115 (step 231).

Often, many application users will share a single database user. In someexamples, a PEP 101 connected to the database server utilizes theidentity of the application user (in addition to or instead of thedatabase user) as a factor in determining whether a given request isauthorized. The PEP 101 does this by communicating with an applicationuser mapping table located within the application server's securitysystem 312. The table contains a mapping associating the applicationuser with the database user. Real time mapping data provides informationabout which application user is using the database connection at anygiven time. In some examples, the mapping table is stored in a databasetable. In other examples, the mapping table is stored in a file. Instill other examples, the table, or simply the identity of theapplication user, is transmitted by the application server to thedatabase server during the session.

As illustrated in FIG. 3, in some examples, security components areconnected to three levels: the web or application server 301; thedatabase 302; and the data store or file system 303. Services on thesethree levels communicate across multiple channels: the data requestchannel 304; the session information channel 305; and the directoryinformation channel 306. In the depicted example, user A 309 is loggedin to an application. The application requests data, as user B 310, overthe data request channel 304, from the database. The database is runningas user C 311 on a server, and requests data, over another data requestchannel, from the data store (e.g., the file system).

Meanwhile, on the application server 301, a mapping table, whichassociates user A 309 (the application user) with user B 310 (thedatabase user), is maintained. This information may be communicated, viaa separate session information channel 305, to the database's securitysystem 307.

Examples of further details of the operation of the PEP 101, the IDP102, and the DEP 103 are provided below. The boundaries of the functionsperformed by the IDP 102, the PEP 101, the AGP 104, and the DEP 103 arenot fixed; some functions may be combined in a single component, orallocated differently between components.

A. PEP

FIG. 4A explains in further detail an example of operation of the PEP101 (see FIG. 2, steps 204 and 210). First, the PEP 101 receives arequest for authorization (step 401). The PEP 101 then retrieves theuser's identity and corresponding group, as described below inconnection with FIG. 4B (step 402). The PEP 101 then determines whetherthe user or group is authorized to access the requested data, forexample, by consulting a privacy policy or access control list (step403). If the user or group is unauthorized to access the requested data,the PEP 101 skips to step 410.

If the user or group is authorized, the PEP 101 then retrieves sessionvariables (including the time of day, day of week, IP address from whichthe user is logged in, the user's geographic location, the user'sidentity, the user's group, the user's client's software, etc.), andstores these variables as the user's “role” (step 404). The PEP 101 thencommunicates with the IDP 102 to determine whether the query is validfor the user's role (step 405). The IDP makes this determination in aprocess exemplified by FIG. 5. The PEP 101 determines whether the IDP102 allowed the query (step 406). If the IDP 102 rejects the query, thePEP 101 skips to step 410.

If the query was allowed, the PEP 101 checks to see whether the IDP 102indicated that an alert was to be sent to the system administrator (step407). If so, the PEP alerts the administrator (step 408). In eitherevent, the PEP 101 authorizes the query (step 409). If the query was notallowed, the PEP 101 denies authorization for the query (step 410).

FIG. 4B describes how, in some examples, the database's security system307 retrieves the user's identity and corresponding group in step 402.First, the PEP 101 in the database's security system 307 opens a sessioninformation channel 305 to the application server 301 (step 451). Next,the PEP 101 requests, from a mapping table in the application's securitysystem 312, the application user corresponding to the current databaseuser (for example, user B 310) (step 452). The application serverresponds, for example, that the corresponding user is user A 309 (step453).

Next, the PEP 101 opens a separate directory information channel 306back to the application server 301 (step 454). On the directoryinformation channel 306, the PEP 101 requests the group mapping for userA 309 (step 455). In a typical response, the application server 301indicates that user A 309 is a member of group X (step 456).

FIG. 4B describes the process by which the PEP 101 in the database'ssecurity system 307 retrieves information from the application server301. In some examples, the PEP 101 in the data store's security system308 requests the identity of the database user (i.e., user B 310) fromthe PEP 101 in the database security system 307 over the sessioninformation channel 305. The PEP 101 in the data store's security system308 may also ascertain the database user's group over the directoryinformation channel 306.

In some examples, the PEP 101 in the data store's security system 308can identify the application user by requesting the information from thePEP 101 in the database's security system 307, which then relays thequery to the application server's mapping table 311. Similarly, in someexamples, the PEP 101 in the data store's security system 308 canascertain the application user's group, by requesting the informationfrom the PEP 101 in the database's security system 307, which thenrelays the query to the mapping table 311 in the application server.

In some practices, a database's security system 307 (for example,through its PEP 101) notifies other layers to indicate that a severeattack has occurred. In some practices, the IDP 102 in the applicationserver's security system 312 receives this notification and subsequentlyblocks all access attempts that would otherwise have only triggered analert to the system administrator. In some practices, the DEP 103 in thedata store's security system 308 receives this notification and blocksall subsequent requests to decrypt data.

One example of these practices is provided where a PEP 101 detects thatauthorized access to credit card information at the database levelexceeds normal usage, but not is not at a critical level. The PEP 101,in this example, modifies a privacy policy to instruct the applicationserver's security system 312 to block further access attempts. Inanother example, the PEP 101 in the application server's security system312 detects multiple hacking attempts from multiple locations. Thesecurity system 312 modifies a privacy policy to block requests at theapplication server 312 level, increase file security at the data store'ssecurity system 308, and prevent the data store's security system 308 aswell as the database's security system 307 from decrypting sensitivedata.

B. IDP

In some embodiments, the IDP 102 has a learning mode and an enforcementmode. In learning mode, the IDP 102 acquires information about users ofthe system, including the typical time of day and day of week duringwhich they access the system, the resources they usually access, theirphysical location or IP address, and the volume of data they usuallyaccess. In some examples, the IDP 102 maintains a Bayesian network toassociate authorized accesses with these variables. In other examples,other types of learning may be used. When the IDP 102 is in enforcementmode, it denies access to a user when the time or day of access, theresources accessed, the user's location or IP address, or the volume ofdata requested exceeds a learned threshold or differs from learnedvalues. The IDP 102 optionally alerts a system administrator when any ofthese criteria exceeds a learned threshold or differs from learnedvalues.

In some embodiments, the IDP 102 accepts user logins only during certaintimes of day, or only on certain days of the week, or only from certainphysical locations. In some examples, the IDP 102 learns how thesecriteria should be restricted. In other examples, the systemadministrator manually enters restrictions. In some examples, the systemadministrator manually changes restrictions, for example, to temporarilyallow a particular user to log in from a distant location when the useris on vacation.

In some embodiments, the IDP 102 restricts the volume of data a user mayaccess in a given day. In one example, the IDP 102 permits a user toaccess only a predetermined number of rows per day from a given table.In another example, the IDP 102 permits a user to issue only apredetermined number of queries per day in a given table. In otherexamples, the user is restricted to a given volume of data over theentire database, rather than in specific tables. In some examples, theIDP 102 uses a counter to maintain information about the volume of dataa user has accessed by means of a counter.

In some examples, an IDP 102 restricts access based on the user's role.A user's role may be based on his or her identity, the time of day, theday of week, the IP address being used, the country or geographic regionfrom which the request originates, etc. In some examples, an IDP 102located in the database server sets a maximum number of rows per dayaccessible to users in a given role. Some examples restrict the numberof rows a user in a given role may insert, or the number of rows a userin a given role may modify, or the number of rows a user in a given rolemay delete. In some examples, these values are learned while the IDP 102is in learning mode.

Some examples permit the IDP 102 and/or the PEP 101 to communicate witha trusted component running on an authorized client to further assist inuser authentication.

In some examples, the IDP 102 utilizes one or more of the followingcriteria to decide whether to permit access, block access, or alert theadministrator: session authorization (i.e., the user's identity);session authentication (i.e., the resources a user is entitled toaccess); session encryption; password integrity; database softwareintegrity; application data integrity; database metadata integrity;security software integrity; time of day of access; and signature rules(i.e., pattern matching and content analysis to detect any known attacksignature using, e.g., Snort® network intrusion detection software). Toverify data or software integrity, a hash value is stored and verifiedagainst periodically.

In some examples, the IDP 102 triggers an alert whenever a particularuser accesses an abnormally high volume of data. When this alert istriggered, the PEP 101 analyzes an audit log to ascertain whetherunusual activity is occurring. If so, the IDP 102 can disallow furtheraccesses by the current user, and/or send an alert to a systemadministrator.

An example of the operation of the IDP 102 will now be described withreference to FIG. 5. First, the IDP 102 receives a request forauthorization from the PEP 101 (step 501). The request includesinformation about the user's role (see FIG. 4A, step 404). The requestalso includes a query the user seeks to execute. The IDP 102 nextretrieves the user's scorecard 111 (including variables tracking auser's total volume of access in a given time period, e.g., total numberof rows accessed in a day, total kilobytes of data downloaded in a day,etc.) (step 502).

Next, the IDP 102 checks to see if it is in learning mode (step 503). Ifit is, then the IDP 102 updates a Bayesian network to learn that thequery is authorized for this user role (step 504). Next, the IDP 102adds data from the current query to the user's scorecard 111 (step 505).Finally, the IDP 102 transmits authorization to the PEP 101 (step 506).

If the IDP is not in learning mode, then the IDP 102 calculates theprobability that the query is allowed for the user's role (step 507). Ifthis probability is below a predetermined threshold a (step 508), thenthe IDP 102 tells the PEP 101 to block the query (step 509). If,instead, the probability is between the threshold a and a predeterminedthreshold b, where b>a (step 510), then the IDP 102 adds the data fromthe current query to the scorecard 111 (step 511), allows the query, andtells the PEP 101 to send an alert to a system administrator (step 512).If the probability is greater than the threshold b, the IDP 102 simplyallows the query (step 513).

More generally, in some examples, the IDP 102 maintains a set of ithresholds t_(i). For each interval [t_(i), t_(i+1)), a different actionk_(i) is defined. If the probability that the query is allowed is withinthe interval [t_(i), t_(i+1)), then the action k_(i) is performed.

In some examples, the IDP 102 increments the value on the scorecard 111in response to accesses, or attempted accesses, to sensitive resources.In some examples, sensitive resources include access to prespecifiedapplications and prespecified network addresses. In other examples, theIDP 102 increments the value of the scorecard by a greater amount inresponse to a failed or disallowed attempt to access the sensitiveresource.

C. DEP

FIG. 7 depicts an example of interaction between a DEP 601 connected toa database 603 and a DEP 602 connected to a file system 604. In oneexample view 605, two columns are encrypted, but the table itself isnot. In this example, authorization is handled entirely by thedatabase's DEP 601. In a second example view 606, one column isencrypted, and the table is encrypted as well. In this example, thedatabase's DEP 601 provides the decryption key for the column, while thefile system's DEP 602 provides the decryption key for the table. In thisexample, a database administrator would be precluded from accessingsecure data due to the table-level encryption. In the third example view607, no columns are individually encrypted; but the table is encrypted.In this example, the file system's DEP 602 provides the decryption key.

In some examples, when a PEP 101 determines that a given query is to beblocked, it performs one or more of the following tasks: disconnectingthe user; denying access to cryptographic keys; writing a record in alog file; and sending an error return code, coupled with no data, backto the requesting application.

In some examples, the PEP 101 includes a machine and programauthorization (MPA) component. This component prevent or restrict userswith valid login names and passwords from connecting to the databaseunless they access the database from a machine that has beenpreauthorized. Machines are authorized if they have an authorized IPaddress, and additionally, if they are able to specify both the port onwhich the database server is listening and the name of the database.

In some examples, the PEP 101, IDP 102, DEP 103, and AGP 104 are part ofthe Protegrity™ Secure.Data server, which is available from ProtegrityCorporation of Stamford, Conn.

It is to be understood that while the invention has been described inconjunction with the detailed description thereof, the foregoingdescription is intended to illustrate and not limit the scope of theinvention, which is defined by the scope of the appended claims.

1. A method for controlling data access in a data-at-rest system, themethod comprising: executing a link intrusion prevention analysisbetween multiple layers of the data-at-rest system; introducing aprivacy policy at enforcement points that span multiple system layers;and dynamically altering the privacy policy.
 2. The method of claim 1,wherein the data-at-rest system is a database system.
 3. The method ofclaim 1, further comprising modifying the protection of data at one ofthe multiple system layers.
 4. The method of claim 3, wherein the stepof modifying is performed based on a result of the link intrusionprevention analysis.
 5. The method of claim 1, wherein the privacypolicy comprises access control information.
 6. The method of claim 1,wherein the privacy policy comprises intrusion detection information. 7.The method of claim 1, wherein the privacy policy comprisescryptographic information.
 8. A computer-readable medium containinginstructions for causing a computer to perform the method of claim
 1. 9.A method for controlling access to a database system, the methodcomprising: assigning a first access criterion and a second accesscriterion to a user role; receiving a query from a user, the user havingan access history; determining that the user matches the user role;comparing, in a first system layer, the access history to the firstaccess criterion; and comparing, in a second system layer that differsfrom the first system layer, the access history to the second accesscriterion.
 10. The method of claim 9, wherein the first access criterioncomprises a privacy policy.
 11. The method of claim 9, furthercomprising learning a value for the first access criterion.
 12. Themethod of claim 9, further comprising selecting a response to the query,wherein the response is selected from the group consisting of blockingthe query, alerting a system administrator and allowing the query, andallowing the query.
 13. The method of claim 12, wherein selecting aresponse to the query comprises selecting a response to the query basedon a result of the step of comparing in a first system layer.
 14. Acomputer-readable medium containing instructions for causing a computerto perform the method of claim
 9. 15. A method for accessing data, themethod comprising: in a first system layer, receiving a first requestfrom a user, the user having an access history, the access historyincluding a counter; in the first system layer, comparing the counter toa first threshold; and transmitting a second request to a second systemlayer, the second request being based on the first request.
 16. Themethod of claim 14, further comprising comparing the counter to a secondthreshold.
 17. The method of claim 14, wherein the counter comprises ascorecard.
 18. The method of claim 14, further comprising: determiningthat the counter exceeds a third threshold; and alerting a systemadministrator.
 19. The method of claim 14, further comprising: in thefirst system layer, transmitting a notification to the second systemlayer to deny the second request.
 20. A system comprising: acomputer-readable medium as recited in claim 14; and a computer in datacommunication with the computer-readable medium.